Delete tokens when user is deleted

Also added DeleteUser to API
This commit is contained in:
Anders Pitman 2020-10-30 18:50:24 -06:00
parent 7ac1f3e22c
commit 7f81163845
3 changed files with 38 additions and 17 deletions

api.go

@ -409,6 +409,34 @@ func (a *Api) CreateUser(tokenData TokenData, params url.Values) error {
return nil
}
func (a *Api) DeleteUser(tokenData TokenData, params url.Values) error {
user, _ := a.db.GetUser(tokenData.Owner)
if !user.IsAdmin {
return errors.New("Unauthorized")
}
username := params.Get("username")
if username == "" {
return errors.New("Invalid username parameter")
}
_, exists := a.db.GetUser(username)
if !exists {
return errors.New("User doesn't exist")
}
a.db.DeleteUser(username)
for token, tokenData := range a.db.GetTokens() {
if tokenData.Owner == username {
a.db.DeleteTokenData(token)
}
}
return nil
}
func (a *Api) SetClient(tokenData TokenData, params url.Values, ownerId, clientId string) error {
if tokenData.Owner != ownerId {
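Review bot: The admin check at the top of DeleteUser discards the existence result of `a.db.GetUser(tokenData.Owner)`, so a token whose owner no longer exists is only rejected because the zero-value User happens to have IsAdmin false; make that explicit with `user, exists := a.db.GetUser(tokenData.Owner)` followed by `if !exists || !user.IsAdmin {`. The range loop over `a.db.GetTokens()` also shadows the `tokenData` parameter with its own `tokenData` loop variable, which reads confusingly in a function whose parameter carries the caller's credentials; a name such as `td` for the loop value avoids it. Consider revoking the tokens before calling `a.db.DeleteUser(username)` rather than after, so there is no window in which tokens exist for a user record that is already gone (whether the db layer makes this observable is not visible here).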


@ -2,14 +2,12 @@
- [ ] Requires OpenSSH 7.7+ for PermitListen option
- [ ] Finish website
- [ ] Demo instance
- [ ] Demo auto email signup
- [ ] Publish releases
- [ ] Demo video
- [ ] Post on /r/selfhosted
- [ ] Improve SSH key download UI.
- [ ] Improve token list UI.
- [ ] Invalid database is wiping out tunnels
- [ ] Delete tokens when user is deleted
- [x] Head can be rendered before h.headHtml is ever set, ie if login page is visited before any other page
- [x] Responses to unauthorized requests are leaking information about the current tunnels through the generated CSS.
- [x] I think it's possible to create tokens for arbitrary user, even if you're not that user.
@ -17,6 +15,9 @@
- [x] Anyone can delete tokens
- [x] QR codes for admin are broken
- [x] General security review.
- [x] Demo instance
- [x] Demo auto email signup
- [x] Delete tokens when user is deleted
# Eventually


@ -167,13 +167,7 @@ func (h *WebUiHandler) handleWebUiRequest(w http.ResponseWriter, r *http.Request
case "/confirm-delete-user":
h.confirmDeleteUser(w, r)
case "/delete-user":
if user.IsAdmin {
h.deleteUser(w, r)
} else {
w.WriteHeader(403)
h.alertDialog(w, r, "Not authorized", "/#/tunnels")
return
}
h.deleteUser(w, r, tokenData)
case "/logo.png":
logoPngBytes, err := box.Bytes("logo.png")
@ -607,18 +601,16 @@ func (h *WebUiHandler) confirmDeleteUser(w http.ResponseWriter, r *http.Request)
tmpl.Execute(w, data)
}
func (h *WebUiHandler) deleteUser(w http.ResponseWriter, r *http.Request) {
func (h *WebUiHandler) deleteUser(w http.ResponseWriter, r *http.Request, tokenData TokenData) {
r.ParseForm()
if len(r.Form["username"]) != 1 {
w.WriteHeader(400)
w.Write([]byte("Invalid username parameter"))
err := h.api.DeleteUser(tokenData, r.Form)
if err != nil {
w.WriteHeader(500)
h.alertDialog(w, r, err.Error(), "/#/users")
return
}
username := r.Form["username"][0]
h.db.DeleteUser(username)
http.Redirect(w, r, "/#/users", 303)
}
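Review bot: In deleteUser every error from `h.api.DeleteUser(tokenData, r.Form)` is answered with `w.WriteHeader(500)`, so the authorization failure that the first hunk used to report with a 403 (and the bad-parameter case that used to be a 400) is now reported as a server error and redirected to "/#/users" instead of "/#/tunnels". Returning a distinguishable error from the API (a sentinel declared in api.go and tested with errors.Is) would let the handler keep the 403 for non-admin callers and reserve 500 for genuine failures. The error text is also rendered straight into `h.alertDialog(w, r, err.Error(), "/#/users")`; that is fine while the API only returns its own fixed strings, but worth a comment such as `// err.Error() is shown to the user; API errors must stay free of internal detail` so a later wrapped db error does not leak. handleWebUiRequest in the first hunk starts and ends outside the hunk.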